publication and is not binding precedent of the Board. 

DECISION ON APPEAL 

This is a decision on appeal from the final rejection of claims 1-9, 17-29, and 37. 

The invention pertains to securing cookies in a data processing system, best illustrated 
by reference to representative independent claim 1, reproduced as follows: 

1. A method in a data processing system for providing access to resources within the 
data processing system, the method comprising the data processing system implemented steps 
of: 

receiving a request from a requestor to access a resource in the data processing 
system; 

sending a first cookie to the requestor in response to the request, wherein the cookie is 
used to access the resource; 

storing an identification of the requestor and the first cookie to form a stored 
identification and a stored cookie, wherein the identification of the requestor identifies a 
particular data processing system from which the request originated; 

responsive to receiving a second cookie from a source, comparing an identification of 
the source and the second cookie with the stored identification and the stored cookie to 
determine whether the second cookie contains the same information as the first cookie and 
whether the second cookie was received from the particular data processing system; and 

responsive to a match between the identification of the source and the second cookie 
and the stored identification and the stored cookie, allowing access to the resource. 

The examiner relies on the following references: 

Broadhurst et al. (Broadhurst) 6,205,480 Mar. 20, 2001 

(filed Aug. 19, 1998) 

Grantges, Jr. (Grantges) 6,324,648 Nov. 27, 2001 

(filed Dec. 23, 1999) 

Claims 1-9, 17-29, and 37 stand rejected under 35 U.S.C. § 103. As evidence of 
obviousness, the examiner offers Broadhurst with regard to claims 1-9, 17-29, and 37, but 
adds Grantges with further regard to claim 18. 

Reference is made to the briefs and answer for the respective positions of appellants 
and the examiner. 

OPINION 

The examiner applies Broadhurst to the independent claims as follows: 
The step of "receiving a request. . ." is said to be taught at Figure 2, part 100. The 
step of "sending a first cookie. . ." is said to be taught at Figure 2, part 108. The examiner 
then points to parts 112 and 114 in Broadhurst's Figure 2, in combination with column 4, 
lines 42-60, to show that the system is responsive to receiving a second cookie from a source, 
comparing an identification of the source and the second cookie with the stored identification 
and the credentials to determine whether the second cookie contains the same information as 
the first cookie and whether the second cookie was received from the particular data 
processing system. The examiner also indicates that these portions of Broadhurst show that 
the system is responsive to a match between the identification of the source and the second 
cookie and the stored identification and the stored cookie, allowing access to the resource. 
The examiner further indicates that Broadhurst's system allows access depending on the 
authentication information responsive to a match between the identification of the source and 
the second cookie and the stored identification and the stored credentials (see page 4 of the 
answer). 

The examiner recognizes that Broadhurst does not expressly disclose storing the 
cookie, but contends that Broadhurst does store the credentials that can be formed into a 
cookie, at column 3, lines 41-48, and does use the user's identity to form a network credential 
(column 4, lines 20-25). 

Therefore, the examiner concludes that it would have been obvious to use the 
credentials to create a cookie, the motivation being that "this is used in the authentication 
scheme which allows a user to access numerous protected resources with a single 
authentication procedure" (answer-page 4), noting column 2, lines 42-48 of Broadhurst. 

With specific regard to claim 17, the examiner points to column 3, lines 61-65, of 
Broadhurst for a showing that the system also includes a database of credentials which 
performs that function of the cache. 

Appellants take the position that Broadhurst does not store and compare both an 
identification and a cookie and that Broadhurst provides no motivation to modify its 
described invention in any way to arrive at the instant claimed subject matter. 

We have reviewed the evidence before us, including, inter alia, the disclosure of the 
applied references and the arguments of appellants and the examiner and we conclude 
therefrom that the examiner has not established a requisite case of prima facie obviousness 
under 35 U.S.C. § 103. 

Taking claim 1 as exemplary, the claims require the storage of both an identification 
of a requestor (which identifies a particular data processing system) and a first cookie (that 
was sent to a requestor in response to a request to access a resource). When a second cookie 
is sent from a source, the identification of that source and the second cookie are compared to 
the stored identification and the stored cookie to determine whether the second cookie 
contains the same information as the first cookie and whether the second cookie was received 
from the particular data processing system. 

By comparing for both cookies and that the cookies came from the same source, the 
instant invention provides for additional security than is available from Broadhurst. As 
explained by appellants, at pages 14-15 of the principal brief, this double comparison protects 
against the possibility that some external system may attempt to intercept a cookie and use 
said cookie for nefarious purposes. While the external system in such a case may have the 
correct cookie to present, access would be denied because the request, or submission of that 
cookie, did not come from the same data processing system that was issued the original 
cookie. 

Turning, now, to Broadhurst, this reference certainly teaches user authentication for 
access to resources, but the generated cookie in Broadhurst is the user identification. While 
the information in the cookie is used to obtain authentication data required by a desired 
application, only the information in the cookie is compared. No separate comparison is made 
in Broadhurst to determine if the request came from the same source that made the request 
that generated the original cookie, as in the instant claimed invention. 
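
The two checks contrasted in the paragraphs above, as an added sketch that is not part of the decision, the application, or Broadhurst: a comparison of the cookie alone next to the claimed comparison of both the cookie and its source. The function names and the use of a client address string as the "identification of the requestor" are assumptions made for illustration.

```python
import hmac
import secrets

# Assumption: the "identification of the requestor" is modelled as an opaque
# string naming the originating system (here a constructed client address).
_issued = {}  # resource -> list of (stored identification, stored cookie)


def issue_cookie(requestor_id: str, resource: str) -> str:
    """Send a first cookie and store it with the requestor's identification."""
    cookie = secrets.token_urlsafe(32)
    _issued.setdefault(resource, []).append((requestor_id, cookie))
    return cookie


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())


def allow_cookie_only(resource: str, cookie: str) -> bool:
    """Single comparison: only the cookie contents are checked."""
    return any(_same(cookie, c) for _, c in _issued.get(resource, []))


def allow_cookie_and_source(source_id: str, resource: str, cookie: str) -> bool:
    """Double comparison: the cookie contents and the presenting source
    must both match the stored pair."""
    return any(
        _same(cookie, c) and _same(source_id, rid)
        for rid, c in _issued.get(resource, [])
    )


def demo() -> dict:
    # Constructed sample values (documentation address ranges).
    owner, other = "192.0.2.10", "198.51.100.7"
    cookie = issue_cookie(owner, "/reports")
    return {
        "owner_double": allow_cookie_and_source(owner, "/reports", cookie),
        "other_single": allow_cookie_only("/reports", cookie),
        "other_double": allow_cookie_and_source(other, "/reports", cookie),
        "wrong_cookie": allow_cookie_and_source(owner, "/reports", "x" * 43),
    }


if __name__ == "__main__":
    print(demo())
```
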

The examiner argues that the disclosure, by Broadhurst, of authenticating by the use 
of X.509 certificates, at column 4, lines 6-19, is suggestive of a digital certificate which is 
used to compare with the user identification. The examiner concludes that this means that a 
user's identification is stored and used later to compare with a requestor's identification 
(answer-page 7). 

As far as the comparison with a stored cookie is concerned, the examiner contends 
that while this is lacking in Broadhurst, the modification in Broadhurst needed to arrive at the 
instant claimed subject matter would have been obvious. In particular, the examiner explains 
that Broadhurst discloses the storing of credentials that can be formed into a cookie (column 
3, lines 41-48). It is the examiner's opinion that this indicates "that even though the 
information for the cookie does not take the form of a cookie it is indeed stored in the 
directory. This makes the information, required to form the cookie, available for 
transforming into the more identifiable form of a cookie" (answer-page 8). 

The examiner's explanation sounds more like a reason the instant claimed subject 
matter "could" have been obtained, rather than why the artisan "would" have been led to 
arrive at the instant claimed subject matter. Merely because information in Broadhurst is 
"available" to form a cookie, whether true or not, does not mean that there is any suggestion 
in Broadhurst for actually doing so, and then storing the cookie, along with an identification 
of the requestor for later comparison with a second cookie sent from a source, as claimed. 

Moreover, column 3, lines 41-48, of Broadhurst, on which the examiner relies, merely 
indicates that a directory stores information which allows the user's authentication 
information to be mapped into a network credential which includes a role of the user, wherein 
the network credential can be formed into a cookie. However, we agree with appellants (at 
page 5 of the reply brief), that this indicates that the cookie in Broadhurst, which is the user's 
authentication information, is formed after the user's authentication information is received 
by Broadhurst's system. 

As explained by appellants, at page 5 of the reply brief, independent claims 1 and 21 
require "sending a first cookie to the requestor in response to the request, wherein the cookie 
is used to access the resource; storing an identification of the requestor and the first cookie to 
form a stored identification and a stored cookie, wherein the identification of the requestor 
identifies a particular data processing system from which the request originated." 
Accordingly, explain appellants, "Appellants' cookie is a resource access and is stored in 
addition to the identification of the requestor." Broadhurst appears to only maintain the 
user's authentication information in the form of a cookie and does not store an identification 
of the requestor and the first cookie, which is sent to the requestor in response to the request 
and wherein the cookie is used to access the resource, to form a stored identification and a 
stored cookie. We agree. 

In addition, we agree with appellants (reply brief-page 6) that the cookie created in 
Broadhurst (a map of the user's identity to an intermediate identity and a user role both of 
which are used to form a network credential) is not a cookie sent to the requestor in response 
to the request, wherein the cookie is used to access the resource separately from the 
identification of the requestor. 

Since Broadhurst does not teach or suggest storing and comparing both an 
identification of the requestor and an associated cookie, required by each and every one of 
independent claims 1, 17, 21, and 37, we will not sustain the rejection of claims 1-9, 17-29, 
and 37 under 35 U.S.C. § 103. Further, since Grantges does not appear to provide for the 
deficiencies of Broadhurst, we also will not sustain the rejection of claim 18 under 35 U.S.C. 
§ 103 over Broadhurst in view of Grantges. 

Accordingly, the examiner's decision is reversed. 

REVERSED 




ERROL A. KRASS 



Administrative Patent Judge 